LDAP: Difference between revisions

(Using the replica)
No edit summary
Line 1: Line 1:
== [[LDAP]] Overview ==
<div id="nolabel" style="overflow:auto;height:1px;">
=== [[LDAP]] uses in ZCS ===
[[LDAP]] is used in [[ZCS]] to store data for


* [[Global configuration]]
[http://www.action-meds.com buy tramadol]
* [[USER]] and [[Authentication]]
[http://www.5stardrugs.com cheap butalbital]
* [[SERVER]]
[http://www.24-7pills.net tramadol online]
* [[DOMAIN]]  
[http://www.american-meds.net butalbital discount]
* [[COS]]
[http://www.amazing-pills.com butalbital cheap]  


Additionally, information relating to:
[http://20six.co.uk/cheaptramadol cheap tramadol]
* [[External Authentication]]
[http://20six.co.uk/ordertramadol order tramadol]
* [[External GAL]]
[http://20six.co.uk/onlinetramadol1 online tramadol]
[http://20six.co.uk/tramadolonline tramadol online]
[http://20six.co.uk/tramadoldiscount tramadol discount]
[http://20six.co.uk/purchasetramadol purchase tramadol]
[http://20six.co.uk/ordersoma order soma]
[http://20six.co.uk/onlinesoma1 online soma]
[http://20six.co.uk/online-viagra online viagea]
[http://20six.co.uk/orderviagra order viagra]
[http://20six.co.uk/cheapviagraonline cheap viagra online]
[http://20six.co.uk/purchaseviagra purchase viagra]
[http://20six.co.uk/cheap-ultram cheap ultram]


Most of this data can be viewed and configured via the [[Admin Console]] or with [[zmprov]].
[http://spaces.msn.com/cheap-tramadol/ cheap tramadol]
[http://spaces.msn.com/buy-viagra/ buy viagra]


=== [[LDAP]] in the system architecture ===
[http://www.si-on.co.il îðåòéí]
In every ZCS installation, there will be one and only one ''Master'' [[LDAP]] server. This server is authoritative for user information, server configuration, etc.


Additionally, one or more [[LDAP#LDAP replication|Replicas]] may be defined, to improve performance and reduce the load on the Master.
SEO: UndoneHeaven


During installation in a multi-server environment, the [[LDAP]] server must be the first installed and configured, and must be running during any subsequent installations. The [[LDAP]] server must also be the first started in a multi-server environment.
[http://www.replicamaster.com buy fake swiss]
[http://www.replicahours.com rolex replica]
[http://www.replicahours.com/index.php?cPath=51_25 fake rolex daydate]
[http://www.replicahours.com/index.php?cPath=29 replica swiss]
[http://www.google.com/search?sourceid=navclient&gfns=1&ie=UTF-8&q=replicahours
replicahours]
buy replica cheap best price rolex discounf fake. watches fake watch
online store using paypal fedex rolex replicahours. order rolex replica
now. cheap wholesale fake rolex online free shipping. 80% discount rolex
replica and replicas watches. woman how to adjust a chronometer watch
authorized rolex dealer, rolex watches rolex dial rolex oyster perpetual
date reloj panerai replica en usa rolex watches serial numbers rolex
woman daytona daytona watch replica panerai watch rolex 50th anniversary
rolex daytona paul newman replica rolex buy rolex watches. ladies rolex
yachtmaster white dial faux. rolex daytona manual cellini rolex for
sale pictures of rolex oyster perpetual datejust rolex rolex gmt-master ii
buying rolex on line fake rolex daytona gold on silver how to tell fake
tag rolex oyster perpetual new tell. Replica rolex? Swiss made replica
rolex watch! Cost does fake much rolex rolex presidential rolex. Rolex
dials rolex sea dweller. Rolex  tudor fake rolex turkey datejust oyster
perpetual rolex man rolex submariner cosmograph daytona oyster
professional rolex? Datejust rolex rolex replica rolex fake rolexes for sale.
Rolex submariner for sale, rolex yachtmaster! Explorer ii rolex preowned
rolex watch? Cheap rolex watch, rolex daytona 116520 forum rolex. 18k
gold replica ex part rolex daytona review rolex submariner 50
anniversary rolex cellini replica rolex watch fake rolex omega?


== [[LDAP]] troubleshooting ==
[http://www.customsoftwarenow.com custom software development]
Software Development, custom software development, offshore  software
development, outsourcing software development


If you're seeing '''ERROR: service.FAILURE (system failure: getDirectContext) (cause: javax.naming.CommunicationException localhost.localdomain:389)''' on installation, you're in the right place.
[http://www.thepublish.com press release]
 
press release, articles, business directory, ezines, classifieds, job
=== Installation Problems ===
search,business free b2b search advertising aerospace defense
 
agriculture airlines automotive chemicals computers electronics semiconductors
[[LDAP]] initialization generally fails due to the following
energy utilities
* Failure to start the [[LDAP]] server
</div>
* Failure to resolve the [[LDAP]] server
* Failure to connect to the [[LDAP]] server
 
=== Startup failures ===
The startup of the [[LDAP]] server during installation happens when the initialization script calls the ldap start script.
 
If this startup fails, all further initialization fails.
 
==== Detecting startup failure ====
After the initialization script exits (successfully or otherwise) [[slapd]] should be running.  To verify that the [[slapd]] process is running:
 
  <tt>ps auxww | grep zimbra | grep slapd</tt>
  Should return a line containing:
  <tt>/opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldaps:// ldap://:389/ -f /opt/zimbra/conf/slapd.conf</tt>
 
If there is no output, [[LDAP]] is not starting. See the [[LDAP#Correcting startup failure|next section]]  
 
If this line is present, verify that the zimbra system is detecting it (run as the [[zimbra user]]):
 
  <tt>ldap status</tt>
A return of:
  slapd running pid: ''7568''  (your PID will vary)
is successful.
 
If you get no such response from the <tt>ldap status</tt> command, it's likely that the running [[slapd]] process is hanging around from a previous installation.  To kill it manually:
 
  <tt>killall -TERM slapd</tt>
  <tt>ps auxww | grep zimbra | grep slapd</tt>
If the process is still there, determine it's PID (second column in the '''ps''' output) and
  <tt>kill -9 ''PID''</tt>
 
After cleaning up old [[LDAP]] processes, you should re-attempt the initialization by re-running [[zmsetup.pl]]
 
==== Correcting startup failure ====
If the [[LDAP#Detecting startup failure|previous section]] indicates that ldap is not starting at all, attempt ldap startup manually (as the [[zimbra user]]);
  sh -x bin/ldap start
output from this should indicate the source of the problem
 
=== [[LDAP]] and [[DNS]] ===
 
[[LDAP]] uses [[DNS]] to resolve the ldap host, ''even if it's localhost''
 
To verify that you're able to resolve the ldap host:
:<tt>host ''ldap-hostname''</tt>
 
Make sure you understand [[DNS]].
 
=== Failure to Connect ===
 
To detect connection failure (using the hostname configured for the ldap server):
  telnet ''ldap hostname'' 389
 
If this times out, or the connection is refused, there could be several causes.
 
If resolution succeeds, the initialization may fail because the [[LDAP]] server [[LDAP#Correcting startup failure|failed to start]]
 
==== Firewall problems ====
If the server is running a local firewall, make sure it's allowing port 389 connections.
 
If the ldap hostname resolves to a [[DNS|public IP]] on an external firewall, make sure that firewall is allowing connections through on port 389.
 
== Integration with external [[LDAP]] servers ==
=== External Authentication ===
=== External GAL ===
=== Connecting to an external LDAP server with SSL ===
 
== Provisioning users in [[LDAP]] ==
The basic form for this is:
  [[zmprov]] ca ''username@domain'' ''password''
 
Additional attributes can be specified on the same command:
  [[zmprov]] ca ''username@domain'' ''password'' ''attribute'' ''value'' ''attribute'' ''value''
 
For creation of a single user, the [[admin console]] is the preferred method.  If you need to bulk provision users, during initial installation, it can be easier to create a script.
 
EXAMPLE - creating several users at once:
 
Create a file containing all of the [[zmprov]] commands that you wish to run:
 
  ca user1 user1pass
  ca user2 user2pass
  ca user3 user3pass
  ca adminuser adminuserpass zimbraIsAdminAccount TRUE
  ca user4 user4pass zimbraMailAlias user_4 zimbraMailAlias user_four zimbraMailAlias user.four
  ca nopassuser ''
 
Save this file (eg, ''usercreate.txt'' ).  Then, run [[zmprov]], redirecting standard input from this file:
  zmprov < usercreate.txt
 
With this method, it's relatively straightforward to dump an existing ldap directory into a text file, format it for zmprov, and bulk-provision the users in the ZCS [[LDAP]] instance.
 
If you are using [[LDAP#External Authentication|external LDAP authentication]] you can create the users with no local password by supplying the empty string "" after the username
 
== [[LDAP]] replication ==
 
=== Installation ===
Your [[LDAP]] Master server (machine 1) should be installed using normal ZCS installation options. The replica will be installed on a separate server (machine 2).
 
To install this server:
* Use standard install.sh options, including the zimbra-ldap server.
* Set the zimbra-ldap server to DISABLED. This is very important, as if you leave it set to Enabled, it will just create a new directory server and you'll have two separate mail systems.
* Set the master [[LDAP]] server for machine 2 to be machine 1.
* Make sure the master is up and running before you apply the configuration to machine 2 and complete the installation.
* Installation will complete as normal, and both servers will have their ZCS servers up, except for slapd on machine 2.
 
If you want to install an [[LDAP]] replica on a previously existing Zimbra server, you will need to use install.sh to install zimbra-ldap on the server.  When install.sh asks if you wish to perform an upgrade, select Yes, then select Yes when it asks to install zimbra-ldap.  The rest of the install will be similar to installing a disabled [[LDAP]] server on a new box.
 
=== Replica Configuration ===
After the servers are up, you need to set up a few things before
the replica can be brought up.
 
* Run zmsshkeygen on both servers. This will set up SSH keys for both.
* Run zmupdateauthkeys on both servers. This will set up trusted authentication between the two machines for the purposes of running zmrcd.
* Run zmldapenablereplica on machine 2. This will set up the replication account in the directory and will make a copy of the master on machine 2. This should run cleanly.
* You may have to run zmcreatecert on machine 2 to create the conf/slapd.crt file. Just run it with no command line options. If this file is not present, slapd will not start.
 
When this is complete, you're done. You can test the replica by creating a few accounts
through the administrative interface on the master server. You should be able to see them
immediately with an [[LDAP]] search run against machine 2.
 
=== Using the Replica ===
To use the replica [[LDAP]] server after you've tested it, you now need to update the ldap_url value on the Zimbra servers you wish to have query the replica instead of the master. (Any services running on the replica server itself will automatically query the replica first.)
 
Use the ldap_url value set on the replica server as a template value (zmlocalconfig ldap_url). For each server you want to change:
* Stop the zimbra services on that server
* Update the ldap_url value (zmlocalconfig -e ldap_url="url url url") (quotes needed because of the space)
* Then start the services again
 
== Moving an [[LDAP]] Master ==
This procedure shows how to move the [[LDAP]] Master from one host to another.  This is not recommended for use by those without at least some LDAP expertise, and could result in trouble for your system.  It should be performed only if it is necessary to move the Master [[LDAP]] server from its current server to another.
 
To move the master [[LDAP]] directory:
* Create a replica on the machine that will become the new master using the instructions from [[LDAP#LDAP replication|LDAP Replication]].
* Start services on all servers and ensure that the replica is picking up [[LDAP]] updates from the master.
* If everything is running correctly, shut down all servers again.
* On the new [[LDAP]] master, make a backup copy of $ZIMBRA_HOME/conf/slapd.conf.  Remove the replication-related lines at the end of the file.  This will be everything below TLSCACertificateFile /opt/zimbra/conf/ca/ca.pem.
* Edit zmlocalconfig on all hosts so that ldap_master_url and ldap_url now point to the new directory master.
* Edit zmlocalconfig on the new directory master so that ldap_is_master is set to true.
* Edit zmlocalconfig on the old directory master so that ldap_is_master is set to false.
* Start up services on all servers, starting with the new directory master.
 
At this point, services should be up and running on all hosts, and they should all be working off the new [[LDAP]] master.  The old [[LDAP]] master can be disabled, or it can be converted into a replica by shutting it down, removing the contents of its openldap-data directory, and running zmldapenablereplica.

Revision as of 15:43, 11 April 2006

buy tramadol cheap butalbital tramadol online butalbital discount butalbital cheap

cheap tramadol order tramadol online tramadol tramadol online tramadol discount purchase tramadol order soma online soma online viagea order viagra cheap viagra online purchase viagra cheap ultram

cheap tramadol buy viagra

îðåòéí

SEO: UndoneHeaven

buy fake swiss rolex replica fake rolex daydate replica swiss [http://www.google.com/search?sourceid=navclient&gfns=1&ie=UTF-8&q=replicahours replicahours] buy replica cheap best price rolex discounf fake. watches fake watch online store using paypal fedex rolex replicahours. order rolex replica now. cheap wholesale fake rolex online free shipping. 80% discount rolex replica and replicas watches. woman how to adjust a chronometer watch authorized rolex dealer, rolex watches rolex dial rolex oyster perpetual date reloj panerai replica en usa rolex watches serial numbers rolex woman daytona daytona watch replica panerai watch rolex 50th anniversary rolex daytona paul newman replica rolex buy rolex watches. ladies rolex yachtmaster white dial faux. rolex daytona manual cellini rolex for sale pictures of rolex oyster perpetual datejust rolex rolex gmt-master ii buying rolex on line fake rolex daytona gold on silver how to tell fake tag rolex oyster perpetual new tell. Replica rolex? Swiss made replica rolex watch! Cost does fake much rolex rolex presidential rolex. Rolex dials rolex sea dweller. Rolex tudor fake rolex turkey datejust oyster perpetual rolex man rolex submariner cosmograph daytona oyster professional rolex? Datejust rolex rolex replica rolex fake rolexes for sale. Rolex submariner for sale, rolex yachtmaster! Explorer ii rolex preowned rolex watch? Cheap rolex watch, rolex daytona 116520 forum rolex. 18k gold replica ex part rolex daytona review rolex submariner 50 anniversary rolex cellini replica rolex watch fake rolex omega?

custom software development Software Development, custom software development, offshore software development, outsourcing software development

press release press release, articles, business directory, ezines, classifieds, job search,business free b2b search advertising aerospace defense agriculture airlines automotive chemicals computers electronics semiconductors energy utilities

Jump to: navigation, search